RE: IIS6 on W2k3 DCs

From: Depp, Dennis M. (
Date: 01/19/05

  • Next message: Moritz Naumann: "Re: PGP and Outlook"
    Date: Wed, 19 Jan 2005 08:16:23 -0500
    To: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <>

    The fact that IIS can be made secure does not mean it should be
    installed on a domain controller. When IIS is installed on a Domain
    Controller the impact of a sucessful hack is much greater than when it
    is installed on a member server. If I compromise an IIS machine, I can
    gain access to all the user accounts stored on this machine. In the
    case of a Domain Controller, this gives me access to every account in
    the Domain. From here I have access to all the data stored on Windows
    machines in your network.

    If the machine that is compromised is a member IIS server the hacker
    will only have access to the local accounts and passwords. While they
    can still use this to attack the domain controllers, they will have some
    additional effort involved.

    While I can protect each IIS server equally well, the damage potential
    of the IIS server on a DC is much greater. This is why it is considered
    a best security practice not to place IIS on a DC.


    -----Original Message-----
    From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    Sent: Wednesday, January 19, 2005 1:55 AM
    To: Depp, Dennis M.
    Cc: Sullivan Tim P;
    Subject: Re: IIS6 on W2k3 DCs

    Aren't we all missing something here as far as this discussion of
    additional protection and IIS in general?

    Didn't an IIS server survive OpenHackIV with IIS, SQL and IPsec? [IIS
    5 even]

    *Using IPsec for Network Protection. Part 1 of 2*
    Last month I introduced you to IPsec, a wonderful but sometimes
    bewildering bit of technology. Now that you understand what it is and
    how it works, this month I'd like to highlight IPSec's ability to help
    solve three common security problems.

    I know about it...but know that I need wizards to help me do it
    right..... but that's just me. I like wizards to help me do my job.
    Command lines that include "netsh ipsec static add filter" needs to be
    made easier IMHO.


    Depp, Dennis M. wrote:


  • Next message: Moritz Naumann: "Re: PGP and Outlook"

    Relevant Pages

    • Re: IISlockdown doesnt allow asp !!!
      ... You IIS server is a DC right? ... > It's bcos i can't access the "Domain Controller Security Policy", ... go to your Domain Controller Security policy. ...
    • Re: Flame Bait! Windows vs: The Unices
      ... IIS, SQL, domain controller, etc. all from MS, you know, the typical ... the "toolbox" basic functionality of UNIX systems ... doing anything useful that quickly on a Windows machine. ...
    • Re: aspnet_wp.exe could not be started
      ... the issue you are dealing with is that domain controllers do not have local accounts and for security, iis, aspnet and sqlserver have been converted to local limited priv accounts in their installation. ... it sounds like you've got sqlserver (its pretty simple because it will setup the account privs). ... Before you start lecturing me on my setup, I am a professional developer and the reason I have IIS running on a domain controller is that I have a small development network with a server and a couple of workstations. ...
    • RE: Question on NTLM authentication.
      ... Domain controllers don't store user passwords by default. ... machines through IIS, even if it is running on a domain controller. ... to a remote machine than the NTLM hash that a normal IIS member server ...
    • RE: IIS6 on W2k3 DCs
      ... DC on one, mail on another, web server on another. ... But Small Business Server 2003 runs with IIS on our domain controller. ...